The hackers behind a recent attack on Facebook gained access to information of about 29 million people, the company said Friday, and that’s just the beginning.

advertisement

For 14 million people, they grabbed profile data, including:

gender

religion

hometown

education

employer

device types

the most recent 10 places they were tagged in or checked themselves into

15 most recent searches

contact information including email addresses and phone numbers

For another 15 million, they accessed only names and contact information.

The hackers also grabbed digital tokens letting them impersonate another 1 million users, but didn’t actually get any information about them, according to a Facebook blog post. All of those tokens have since been invalidated.

Users can check on Facebook’s site to see what information was stolen, if any, from their accounts. The company advises affected users to watch out for scammy emails or phone calls potentially using the information obtained from Facebook.

The company continues to investigate and says it hasn’t “ruled out the possibility of smaller-scale attacks” on the site.

“As we look for other ways the people behind this attack used Facebook, as well as the possibility of smaller-scale attacks, we’ll continue to cooperate with the FBI, the US Federal Trade Commission, Irish Data Protection Commission, and other authorities,” according to the company.

Separately, Facebook said Thursday it had disabled dozens of accounts and profiles linked to Russian data firm SocialDataHub for unauthorized data collection, Reutersreports.